Notes: Microsoft SQL Server 2017 and Azure SQL Database (Database Engine Permissions poster, text transcript)
Posted 27-Jul-2019
Top Level Server Permissions
Database Level Permissions
ALTER ANY APPLICATION ROLE – See Application Roles Permissions Chart
ALTER ANY ASSEMBLY – See Assembly Permissions Chart
ALTER ANY ASYMMETRIC KEY – See Asymmetric Key Permissions Chart
ALTER ANY CERTIFICATE – See Certificate Permissions Chart
ALTER ANY COLUMN ENCRYPTION KEY
ALTER ANY COLUMN MASTER KEY
ALTER ANY CONTRACT – See Service Broker Permissions Chart
ALTER ANY DATABASE AUDIT
ALTER ANY DATABASE DDL TRIGGER
ALTER ANY DATABASE EVENT NOTIFICATION – See Event Notifications Permissions Chart
ALTER ANY DATABASE EVENT SESSION
ALTER ANY DATABASE SCOPED CONFIGURATION ǂ
ALTER ANY DATASPACE
ALTER ANY EXTERNAL DATA SOURCE
ALTER ANY EXTERNAL FILE FORMAT
ALTER ANY EXTERNAL LIBRARY – See External Library Permissions §
ALTER ANY FULLTEXT CATALOG – See Full-text Permissions Chart
ALTER ANY MESSAGE TYPE – See Service Broker Permissions Chart
ALTER ANY REMOTE SERVICE BINDING – See Service Broker Permissions Chart
ALTER ANY ROLE – See Database Role Permissions Chart
ALTER ANY ROUTE – See Service Broker Permissions Chart
ALTER ANY SCHEMA – See Database Permissions – Schema Objects Chart
ALTER ANY SECURITY POLICY
ALTER ANY SERVICE – See Service Broker Permissions Chart
ALTER ANY SYMMETRIC KEY – See Symmetric Key Permissions Chart
ALTER ANY USER – See Connect and Authentication – Database Permissions Chart
CREATE AGGREGATE
CREATE DEFAULT
CREATE FUNCTION
CREATE PROCEDURE
CREATE QUEUE
CREATE RULE
CREATE SYNONYM
CREATE TABLE
CREATE TYPE
CREATE VIEW
CREATE XML SCHEMA COLLECTION
Top Level Database Permissions
CONTROL DATABASE
ADMINISTER DATABASE BULK OPERATIONS
ALTER ANY DATABASE SCOPED CONFIGURATION
ALTER ANY MASK
AUTHENTICATE
BACKUP DATABASE
BACKUP LOG
CHECKPOINT
CONNECT REPLICATION – See Connect and Authentication – Database Permissions Chart
DELETE
EXECUTE
INSERT
REFERENCES
SELECT
UPDATE
VIEW DEFINITION
TAKE OWNERSHIP
EXECUTE ANY EXTERNAL SCRIPT
KILL DATABASE CONNECTION
SHOWPLAN
SUBSCRIBE QUERY NOTIFICATIONS
UNMASK
VIEW ANY COLUMN MASTER KEY DEFINITION
VIEW ANY COLUMN ENCRYPTION KEY DEFINITION
VIEW DATABASE STATE
CONTROL SERVER
STATEMENTS:
CREATE DATABASE AUDIT SPECIFICATION
CREATE/ALTER/DROP database triggers
PARTITION & PLAN GUIDE statements
CREATE ANY DATABASE
ALTER ANY DATABASE
ALTER ANY SERVER AUDIT
ALTER ANY EVENT NOTIFICATION
AUTHENTICATE SERVER
VIEW ANY DEFINITION
ALTER TRACE
VIEW SERVER STATE
STATEMENTS:
Applies to subordinate objects in the database. See Database Permissions – Schema Objects chart.
VIEW CHANGE TRACKING ON OBJECT::<name>
SELECT ON OBJECT::<table |view name>
INSERT ON OBJECT::< table |view name>
UPDATE ON OBJECT::< table |view name>
DELETE ON OBJECT::< table |view name>
EXECUTE ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
REFERENCES ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
VIEW DEFINITION ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
TAKE OWNERSHIP ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
RECEIVE ON OBJECT::<queue name>
SELECT ON OBJECT::<queue name>
ALTER ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
VIEW CHANGE TRACKING ON SCHEMA::<name>
SELECT ON SCHEMA::<name>
INSERT ON SCHEMA::<name>
UPDATE ON SCHEMA::<name>
DELETE ON SCHEMA::<name>
EXECUTE ON SCHEMA::<name>
REFERENCES ON SCHEMA::<name>
VIEW DEFINITION ON SCHEMA::<name>
TAKE OWNERSHIP ON SCHEMA::<name>
ALTER ON SCHEMA::<name>
CREATE SEQUENCE
SELECT ON DATABASE::<name>
INSERT ON DATABASE::<name>
UPDATE ON DATABASE::<name>
DELETE ON DATABASE::<name>
EXECUTE ON DATABASE::<name>
REFERENCES ON DATABASE::<name>
VIEW DEFINITION ON DATABASE::<name>
TAKE OWNERSHIP ON DATABASE::<name>
ALTER ON DATABASE::<name>
ALTER ANY SCHEMA
CREATE SCHEMA
CREATE AGGREGATE
CREATE DEFAULT
CREATE FUNCTION
CREATE PROCEDURE
CREATE QUEUE
CREATE RULE
CREATE SYNONYM
CREATE TABLE
CREATE TYPE
CREATE VIEW
CREATE XML SCHEMA COLLECTION
VIEW ANY DEFINITION
VIEW ANY DATABASE
ALTER ANY DATABASE
Chart columns: Server Permissions · Database Permissions · Schema Permissions · Object Permissions · Type Permissions · XML Schema Collection Permissions
Database Permissions – Schema Objects
Notes:
• To create a schema object (such as a table) you must have CREATE permission for that object type plus ALTER ON SCHEMA::<name> for the schema of the object. Creating it might also require REFERENCES ON TYPE::<name> or REFERENCES ON XML SCHEMA COLLECTION::<name> for any referenced CLR type or XML schema collection.
• To alter an object (such as a table) you must have ALTER permission on the object (or on its schema), or CONTROL permission on the object.
CONTROL ON SERVER · CONTROL ON DATABASE::<name> · CONTROL ON SCHEMA::<name> · CONTROL ON OBJECT|TYPE|XML SCHEMA COLLECTION::<name>
OBJECT permissions apply to the following database objects:
AGGREGATE
DEFAULT
FUNCTION
PROCEDURE
QUEUE
RULE
SYNONYM
TABLE
VIEW
(Not all permissions apply to all objects. For example, UPDATE applies only to tables and views.)
• To drop an object (such as a table) you must have ALTER permission on the schema or CONTROL permission on the object.
• To create an index requires ALTER ON OBJECT::<name> permission on the table or view.
• To create or alter a trigger on a table or view requires ALTER ON OBJECT::<name> on the table or view.
• To create statistics requires ALTER ON OBJECT::<name> on the table or view.
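A worked example of the two-permission rule in the notes above: a role that can create, index and drop tables in one schema only. This is an added example, not part of the Microsoft chart; the schema, role and user names (Sales, SalesDev, sales_dev) are assumed. Run it in a scratch database as a principal that holds CONTROL on that database. The CREATE TABLE in dbo is wrapped in EXEC so the permission error is caught in the CATCH block instead of aborting the batch.

```sql
-- Added example (not from the Microsoft chart): a role confined to one schema.
-- Names are assumed; run in a scratch database with CONTROL on it.
CREATE SCHEMA Sales;
GO
CREATE ROLE SalesDev;
-- CREATE TABLE is database-scoped; ALTER ON SCHEMA::Sales confines where it can be used.
GRANT CREATE TABLE TO SalesDev;
GRANT ALTER ON SCHEMA::Sales TO SalesDev;
GO
CREATE USER sales_dev WITHOUT LOGIN;   -- a login-less user is enough to test with EXECUTE AS
ALTER ROLE SalesDev ADD MEMBER sales_dev;
GO
EXECUTE AS USER = 'sales_dev';
    -- Allowed: CREATE TABLE + ALTER ON SCHEMA::Sales.
    CREATE TABLE Sales.Orders (OrderID int PRIMARY KEY, Amount money NOT NULL);

    -- Allowed: CREATE INDEX needs ALTER on the table, and ALTER ON SCHEMA::Sales is
    -- inherited by every object in the schema.
    CREATE INDEX IX_Orders_Amount ON Sales.Orders (Amount);

    -- Blocked: same CREATE TABLE permission, but no ALTER on the dbo schema.
    -- EXEC keeps the "schema does not exist or you do not have permission" error inside TRY/CATCH.
    BEGIN TRY
        EXEC('CREATE TABLE dbo.Leak (x int);');
    END TRY
    BEGIN CATCH
        PRINT ERROR_MESSAGE();
    END CATCH;

    -- Check: effective permissions on the schema and on the database as this user sees them.
    SELECT 'SCHEMA::Sales' AS securable, permission_name
    FROM fn_my_permissions('Sales', 'SCHEMA')
    UNION ALL
    SELECT 'DATABASE', permission_name
    FROM fn_my_permissions(NULL, 'DATABASE');

    -- Allowed: dropping needs ALTER on the schema (or CONTROL on the object).
    DROP TABLE Sales.Orders;
REVERT;
```

The fn_my_permissions output is the quickest way to confirm that the user received only CREATE TABLE at database scope and ALTER (plus its implied VIEW DEFINITION) on the one schema, with nothing on dbo.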
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY DATABASE
CONTROL ON DATABASE::<name>
VIEW DEFINITION ON DATABASE::<name>
REFERENCES ON DATABASE::<name>
ALTER ON DATABASE::<name>
ALTER ANY FULLTEXT CATALOG
CREATE FULLTEXT CATALOG
Full-text Permissions
Server Role Permissions
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY SERVER ROLE
VIEW DEFINITION ON SERVER ROLE::<name>
TAKE OWNERSHIP ON SERVER ROLE::<name>
ALTER ON SERVER ROLE::<name>
CONTROL ON SERVER ROLE::<name>
Most permission statements have the format:
AUTHORIZATION PERMISSION ON SECURABLE::NAME TO PRINCIPAL
• AUTHORIZATION must be GRANT, REVOKE or DENY.
• PERMISSION is listed in the charts below.
• ON SECURABLE::NAME is the server, server object, database, or database object and its name. (ON SECURABLE::NAME is omitted for server-wide and database-wide permissions.)
• PRINCIPAL is the login, user, or role which receives or loses the permission. Grant permissions to roles whenever possible.
Sample grant statement: GRANT UPDATE ON OBJECT::Production.Parts TO PartsTeam
• Denying a permission at any level overrides a related grant.
• To remove a previously granted permission, use REVOKE, not DENY.
• The CONTROL SERVER permission has all permissions on the instance of SQL Server or SQL Database.
• The CONTROL DATABASE permission has all permissions on the database.
• Permissions do not imply role memberships and role memberships do not grant permissions. (E.g. CONTROL SERVER does not imply membership in the sysadmin fixed server role. Membership in the db_owner role does not grant the CONTROL DATABASE permission.) However, it is sometimes possible to impersonate between roles and equivalent permissions.
• Granting any permission on a securable allows VIEW DEFINITION on that securable. It is an implied permission and cannot be revoked, but it can be explicitly denied by using the DENY VIEW DEFINITION statement.
• SQL Database permissions refer to version 12.
• Object owners can delete them but they do not have full permissions on them.
• A DENY on a table is overridden by a GRANT on a column. However, a subsequent DENY on the table will remove the column GRANT.
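The following script walks through the GRANT/DENY/REVOKE rules in the notes above on one table, including the column-level exception in the last note. It is an added example, not part of the Microsoft chart; the schema, table, role and user names (HR.Employees, Analysts, analyst1) and the two sample rows are constructed. Run it in a scratch database as a principal with CONTROL on it. The query that is expected to fail is wrapped in EXEC so the permission error is caught instead of aborting the batch.

```sql
-- Added example (not from the Microsoft chart): GRANT, DENY and REVOKE interacting as the
-- notes describe. Names and sample rows are constructed; run in a scratch database.
CREATE SCHEMA HR;
GO
CREATE TABLE HR.Employees (EmpID int PRIMARY KEY, Name nvarchar(100) NOT NULL, Salary money NOT NULL);
INSERT INTO HR.Employees (EmpID, Name, Salary) VALUES (1, N'Ada', 100000), (2, N'Linus', 90000);
GO
CREATE ROLE Analysts;
CREATE USER analyst1 WITHOUT LOGIN;
ALTER ROLE Analysts ADD MEMBER analyst1;
GO
-- 1. Grant to the role, not to the user.
GRANT SELECT ON OBJECT::HR.Employees TO Analysts;
-- 2. A DENY at any level overrides a related GRANT: this user-level DENY beats the role's GRANT.
DENY SELECT ON OBJECT::HR.Employees TO analyst1;
-- 3. The exception: a column-level GRANT overrides a table-level DENY.
GRANT SELECT ON OBJECT::HR.Employees (EmpID, Name) TO analyst1;
GO
EXECUTE AS USER = 'analyst1';
    SELECT EmpID, Name FROM HR.Employees;           -- allowed by the column GRANT
    BEGIN TRY
        EXEC('SELECT Salary FROM HR.Employees;');    -- Salary is still covered by the table DENY
    END TRY
    BEGIN CATCH
        PRINT ERROR_MESSAGE();
    END CATCH;
    -- Any permission on a securable implies VIEW DEFINITION on it (revocable only via DENY).
    SELECT HAS_PERMS_BY_NAME('HR.Employees', 'OBJECT', 'VIEW DEFINITION') AS has_view_definition;
REVERT;
GO
-- 4. Re-issuing the table-level DENY removes the column GRANT.
DENY SELECT ON OBJECT::HR.Employees TO analyst1;
EXECUTE AS USER = 'analyst1';
    SELECT HAS_PERMS_BY_NAME('HR.Employees', 'OBJECT', 'SELECT', 'EmpID', 'COLUMN') AS has_column_select;
REVERT;
GO
-- 5. REVOKE removes the user's explicit entry, whether it was a GRANT or a DENY;
--    the GRANT held through the Analysts role applies again.
REVOKE SELECT ON OBJECT::HR.Employees FROM analyst1;
GO
-- Audit: every explicit GRANT/DENY on the table, with the column for column-level entries.
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name,
       COL_NAME(pe.major_id, pe.minor_id) AS column_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
  AND pe.major_id = OBJECT_ID('HR.Employees')
ORDER BY grantee, pe.minor_id;
```

Run the audit query after each numbered step to see the rows change: the DENY replaces the user's GRANT row, the column GRANTs appear with a non-zero minor_id, the second DENY clears them, and REVOKE removes the user's row entirely while the role's GRANT stays.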
Server Level Permissions for SQL Server
Notes:
• Creating a full-text index requires ALTER permission on the table and REFERENCES permission on the full-text catalog.
• Dropping a full-text index requires ALTER permission on the table.
STATEMENTS: DROP DATABASE
How to Read this Chart
• Most of the more granular permissions are included in more than one higher level scope permission, so permissions can be inherited from more than one type of higher scope.
• Black, green, and purple arrows and boxes point to subordinate permissions that are included in the scope of a higher level permission.
• Brown arrows and boxes indicate some of the statements that can use the permission.
• Permissions in black apply to both SQL Server 2016 and Azure SQL Database.
• Permissions marked with § apply only to SQL Server 2017.
• Permissions in red apply only to SQL Server 2016 and later.
• Permissions marked with ǂ apply to SQL Server 2017 and Azure SQL Database.
• Permissions in blue apply only to Azure SQL Database.
• The newest permissions are underlined.
(Colors, arrows and underlining do not survive in this text transcript; the § and ǂ markers do.)
CREATE SERVER ROLE
Availability Group Permissions
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY AVAILABILITY GROUP
VIEW DEFINITION ON AVAILABILITY GROUP::<name>
TAKE OWNERSHIP ON AVAILABILITY GROUP::<name>
ALTER ON AVAILABILITY GROUP::<name>
CONTROL ON AVAILABILITY GROUP::<name>
CREATE AVAILABILITY GROUP
ADMINISTER BULK OPERATIONS
ALTER ANY AVAILABILITY GROUP – See Availability Group Permissions
CREATE AVAILABILITY GROUP
ALTER ANY CONNECTION
ALTER ANY CREDENTIAL
ALTER ANY DATABASE – See Database Permission Charts
CREATE ANY DATABASE – See Top Level Database Permissions
ALTER ANY ENDPOINT – See Connect and Authentication
CREATE ENDPOINT – See Connect and Authentication
ALTER ANY EVENT NOTIFICATION
CREATE DDL EVENT NOTIFICATION
CREATE TRACE EVENT NOTIFICATION
ALTER ANY EVENT SESSION
ALTER ANY LINKED SERVER
ALTER ANY LOGIN – See Connect and Authentication
ALTER ANY SERVER AUDIT
ALTER ANY SERVER ROLE – See Server Role Permissions
CREATE SERVER ROLE – See Server Role Permissions
ALTER RESOURCES (NA. Use instead.)
ALTER SERVER STATE
VIEW SERVER STATE
ALTER SETTINGS
ALTER TRACE
AUTHENTICATE SERVER
CONNECT SQL – See Connect and Authentication
CONNECT ANY DATABASE
IMPERSONATE ANY LOGIN
SELECT ALL USER SECURABLES
SHUTDOWN
UNSAFE ASSEMBLY
EXTERNAL ACCESS ASSEMBLY
VIEW ANY DEFINITION
VIEW ANY DATABASE – See Database Permissions – Schema
* NOTE: The SHUTDOWN statement requires the SQL Server SHUTDOWN permission. Starting, stopping, and pausing the Database Engine from SSCM, SSMS, or Windows requires Windows permissions, not SQL Server permissions.
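A read-only inventory of who holds the high-impact server-level permissions listed above, together with fixed server role membership, which the syntax notes point out is tracked separately from permissions (CONTROL SERVER does not imply sysadmin, and sysadmin members have no CONTROL SERVER row). This is an added example, not part of the Microsoft chart, and it applies to SQL Server only, since server-level permissions cannot be granted on Azure SQL Database. Run it with VIEW ANY DEFINITION (or CONTROL SERVER); otherwise the catalog views hide the principals and permissions the caller is not allowed to see. The permission list in the WHERE clause is an editorial selection drawn from the chart, not the chart's own grouping.

```sql
-- Added example (not from the Microsoft chart): who holds high-impact server permissions.
-- SQL Server only; needs VIEW ANY DEFINITION or CONTROL SERVER to see every row.
SELECT pr.name        AS grantee,
       pr.type_desc,
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       tgt.name       AS on_login        -- filled for IMPERSONATE / CONTROL ON LOGIN::<name>
FROM sys.server_permissions      AS pe
JOIN sys.server_principals       AS pr  ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.server_principals  AS tgt ON pe.class_desc = 'SERVER_PRINCIPAL'
                                       AND tgt.principal_id = pe.major_id
WHERE pe.state IN ('G', 'W')            -- GRANT and GRANT WITH GRANT OPTION
  AND (
        (pe.class_desc = 'SERVER' AND pe.permission_name IN (
            'CONTROL SERVER', 'ALTER ANY LOGIN', 'ALTER ANY SERVER ROLE', 'IMPERSONATE ANY LOGIN',
            'ALTER ANY CREDENTIAL', 'ALTER ANY LINKED SERVER', 'ALTER ANY SERVER AUDIT',
            'ALTER ANY ENDPOINT', 'ALTER SETTINGS', 'ALTER TRACE', 'AUTHENTICATE SERVER',
            'UNSAFE ASSEMBLY', 'EXTERNAL ACCESS ASSEMBLY', 'ADMINISTER BULK OPERATIONS',
            'SELECT ALL USER SECURABLES', 'SHUTDOWN'))
     OR (pe.class_desc = 'SERVER_PRINCIPAL' AND pe.permission_name IN ('IMPERSONATE', 'CONTROL'))
      )
ORDER BY grantee, pe.permission_name;

-- Fixed server role membership is not a permission and does not appear above.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.is_fixed_role = 1
ORDER BY r.name, m.name;

-- Databases marked TRUSTWORTHY: the chart notes that AUTHENTICATE combined with TRUSTWORTHY
-- allows delegation of authentication, so these deserve a second look. msdb is TRUSTWORTHY
-- by default and is excluded.
SELECT d.name, SUSER_SNAME(d.owner_sid) AS owner_login, d.is_trustworthy_on
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1 AND d.name <> 'msdb'
ORDER BY d.name;
```

Review the three result sets together: a login that appears in none of them but still reaches sensitive data is getting there through database-level grants or role membership inside a database, which the Database Permissions charts cover.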
STATEMENTS:
CREATE/ALTER/DROP server triggers
OPENROWSET(BULK….
CREATE/ALTER/DROP CREDENTIAL
DBCC FREE…CACHE and SQLPERF
SELECT on server-level DMV’s
sp_configure, RECONFIGURE
sp_trace_create
Allows server-level delegation
CONTROL SERVER
STATEMENTS:
CREATE/ALTER/DROP server triggers
OPENROWSET(BULK …
KILL
CREATE/ALTER/DROP CREDENTIAL
Server scoped event notifications
Server scoped DDL event notifications
Event notifications on trace events
Extended event sessions
sp_addlinkedserver
DBCC FREE…CACHE and SQLPERF
SELECT on server-level DMV’s
sp_configure, RECONFIGURE
sp_trace_create
Allows server-level delegation
SHUTDOWN*
CREATE/ALTER/DROP SERVER AUDIT and SERVER AUDIT SPECIFICATION
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY LOGIN
CONNECT SQL
CONTROL ON LOGIN::<name>
Connect and Authentication – Server Permissions
VIEW ANY DEFINITION
ALTER ANY ENDPOINT
CREATE ENDPOINT
CONNECT ON ENDPOINT::<name>
TAKE OWNERSHIP ON ENDPOINT::<name>
VIEW DEFINITION ON ENDPOINT::<name>
ALTER ON ENDPOINT::<name>
CONTROL ON ENDPOINT::<name>
Notes:
• The CREATE LOGIN statement creates a login and grants CONNECT SQL to that login.
• Enabling a login (ALTER LOGIN <name> ENABLE) is not the same as granting CONNECT SQL permission.
• To map a login to a credential, see ALTER ANY CREDENTIAL.
• When contained databases are enabled, users can access SQL Server without a login. See database user permissions.
• To connect using a login you must have :
o An enabled login
o CONNECT SQL
o CONNECT for the database (if specified)
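The three conditions in the last note, each switched on and off so the difference between an enabled login and a CONNECT SQL grant is visible in the catalog. This is an added example, not part of the Microsoft chart, and it is for SQL Server only (server-level permissions cannot be granted on Azure SQL Database). Run it as a member of sysadmin or with CONTROL SERVER; the login, user and database names (app_login, app_user, AppDB) and the password are assumed placeholders.

```sql
-- Added example (not from the Microsoft chart): the three conditions for connecting with a login.
-- SQL Server only. Names and the password are placeholders; AppDB is assumed to exist.
CREATE LOGIN app_login WITH PASSWORD = 'Replace-with-a-strong-password-1!', CHECK_POLICY = ON;
GO
-- CREATE LOGIN grants CONNECT SQL implicitly. is_disabled and the permission row are independent;
-- re-run this SELECT after each step below to watch them change separately.
SELECT sp.name, sp.is_disabled, pe.state_desc, pe.permission_name
FROM sys.server_principals AS sp
LEFT JOIN sys.server_permissions AS pe
       ON pe.grantee_principal_id = sp.principal_id
      AND pe.class_desc = 'SERVER'
      AND pe.permission_name = 'CONNECT SQL'
WHERE sp.name = 'app_login';
GO
-- Condition 1: the login must be enabled. DISABLE flips is_disabled; the CONNECT SQL row stays.
ALTER LOGIN app_login DISABLE;
ALTER LOGIN app_login ENABLE;
GO
-- Condition 2: CONNECT SQL. A DENY blocks the connection although the login is enabled.
DENY CONNECT SQL TO app_login;
-- REVOKE deletes the permission row, whether it was a GRANT or a DENY, so the login now has
-- no CONNECT SQL at all. Grant it back explicitly.
REVOKE CONNECT SQL FROM app_login;
GRANT CONNECT SQL TO app_login;
GO
-- Condition 3: CONNECT on the target database. CREATE USER FOR LOGIN grants it.
USE AppDB;
GO
CREATE USER app_user FOR LOGIN app_login;
GO
SELECT dp.name, pe.state_desc, pe.permission_name
FROM sys.database_principals AS dp
JOIN sys.database_permissions AS pe
  ON pe.grantee_principal_id = dp.principal_id
 AND pe.class_desc = 'DATABASE'
WHERE dp.name = 'app_user';
```

When removing a login's access deliberately, decide which lever you mean: ALTER LOGIN ... DISABLE leaves every permission in place for a later ENABLE, while DENY CONNECT SQL is itself a permission entry that survives an ENABLE and must be revoked separately.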
VIEW DEFINITION ON LOGIN::<name>
IMPERSONATE ON LOGIN::<name>
ALTER ON LOGIN::<name>
STATEMENTS:
ALTER LOGIN, sp_addlinkedsrvlogin
DROP LOGIN
CREATE LOGIN
STATEMENTS:
ALTER ENDPOINT
DROP ENDPOINT
CREATE ENDPOINT
STATEMENTS:
ALTER SERVER ROLE <name> ADD MEMBER
DROP SERVER ROLE
CREATE SERVER ROLE
STATEMENTS:
ALTER AVAILABILITY GROUP
DROP AVAILABILITY GROUP
CREATE AVAILABILITY GROUP
CONTROL ON FULLTEXT CATALOG::<name>
VIEW DEFINITION ON FULLTEXT CATALOG::<name>
REFERENCES ON FULLTEXT CATALOG::<name>
TAKE OWNERSHIP ON FULLTEXT CATALOG::<name>
ALTER ON FULLTEXT CATALOG::<name>
STATEMENTS:
ALTER FULLTEXT CATALOG
CREATE FULLTEXT CATALOG
Symmetric Key Permissions
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY DATABASE
VIEW DEFINITION ON DATABASE::<name>
REFERENCES ON DATABASE::<name>
ALTER ON DATABASE::<name>
ALTER ANY SYMMETRIC KEY
CREATE SYMMETRIC KEY
CONTROL ON DATABASE::<name>
VIEW DEFINITION ON SYMMETRIC KEY::<name>
REFERENCES ON SYMMETRIC KEY::<name>
TAKE OWNERSHIP ON SYMMETRIC KEY::<name>
ALTER ON SYMMETRIC KEY::<name>
CONTROL ON SYMMETRIC KEY::<name>
STATEMENTS:
ALTER SYMMETRIC KEY
DROP SYMMETRIC KEY
CREATE SYMMETRIC KEY
Note: OPEN SYMMETRIC KEY requires VIEW DEFINITION permission on the key (implied by any permission on the key), and requires permission on the key encryption hierarchy.
Asymmetric Key Permissions
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY DATABASE
VIEW DEFINITION ON DATABASE::<name>
REFERENCES ON DATABASE::<name>
ALTER ON DATABASE::<name>
ALTER ANY ASYMMETRIC KEY
CREATE ASYMMETRIC KEY
CONTROL ON DATABASE::<name>
VIEW DEFINITION ON ASYMMETRIC KEY::<name>
REFERENCES ON ASYMMETRIC KEY::<name>
TAKE OWNERSHIP ON ASYMMETRIC KEY::<name>
ALTER ON ASYMMETRIC KEY::<name>
CONTROL ON ASYMMETRIC KEY::<name>
STATEMENTS:
ALTER ASYMMETRIC KEY
DROP ASYMMETRIC KEY
CREATE ASYMMETRIC KEY
Note: ADD SIGNATURE requires CONTROL permission on the key, and requires ALTER permission on the object.
Certificate Permissions
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY DATABASE
VIEW DEFINITION ON DATABASE::<name>
REFERENCES ON DATABASE::<name>
ALTER ON DATABASE::<name>
ALTER ANY CERTIFICATE
CREATE CERTIFICATE
CONTROL ON DATABASE::<name>
VIEW DEFINITION ON CERTIFICATE::<name>
REFERENCES ON CERTIFICATE::<name>
TAKE OWNERSHIP ON CERTIFICATE::<name>
ALTER ON CERTIFICATE::<name>
CONTROL ON CERTIFICATE::<name>
STATEMENTS:
ALTER CERTIFICATE
DROP CERTIFICATE
CREATE CERTIFICATE
Note: ADD SIGNATURE requires CONTROL permission on the certificate, and requires ALTER permission on the object.
Connect and Authentication – Database Permissions
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY DATABASE
CONNECT ANY DATABASE
VIEW DEFINITION ON DATABASE::<name>
ALTER ON DATABASE::<name>
ALTER ANY USER
CONNECT REPLICATION ON DATABASE::<name>
CONNECT ON DATABASE::<name>
CONTROL ON DATABASE::<name>
VIEW DEFINITION ON USER::<name>
IMPERSONATE ON USER::<name>
ALTER ON USER::<name>
CONTROL ON USER::<name>
STATEMENTS:
ALTER USER
DROP USER
CREATE USER
NOTES:
• When contained databases are enabled, creating a database user that authenticates at the database grants CONNECT ON DATABASE to that user, and it can access SQL Server without a login.
• Granting ALTER ANY USER allows a principal to create a user based on a login, but does not grant the server level permission to view information about logins.
STATEMENTS:
DROP FULLTEXT CATALOG
DROP FULLTEXT STOPLIST
DROP FULLTEXT SEARCH PROPERTYLIST
CONTROL ON FULLTEXT STOPLIST::<name>
VIEW DEFINITION ON FULLTEXT STOPLIST::<name>
REFERENCES ON FULLTEXT STOPLIST::<name>
TAKE OWNERSHIP ON FULLTEXT STOPLIST::<name>
ALTER ON FULLTEXT STOPLIST::<name>
STATEMENTS:
ALTER FULLTEXT STOPLIST
CREATE FULLTEXT STOPLIST
CONTROL ON SEARCH PROPERTY LIST::<name>
VIEW DEFINITION ON SEARCH PROPERTY LIST::<name>
REFERENCES ON SEARCH PROPERTY LIST::<name>
TAKE OWNERSHIP ON SEARCH PROPERTY LIST::<name>
ALTER ON SEARCH PROPERTY LIST::<name>
STATEMENTS:
ALTER SEARCH PROPERTY LIST
CREATE SEARCH PROPERTY LIST
Service Broker Permissions (SQL Server only)
Notes:
• The user executing the CREATE CONTRACT statement must have REFERENCES permission on all message types specified.
• The user executing the CREATE SERVICE statement must have REFERENCES permission on the queue and all contracts specified.
• To execute CREATE or ALTER REMOTE SERVICE BINDING the user must have IMPERSONATE permission for the principal specified in the statement.
• When the CREATE or ALTER MESSAGE TYPE statement specifies a schema collection, the user executing the statement must have REFERENCES permission on the schema collection specified.
• See the ALTER ANY EVENT NOTIFICATION chart for more permissions related to Service Broker.
• See the SCHEMA OBJECTS chart for QUEUE permissions.
• The ALTER CONTRACT permission exists but at this time there is no ALTER CONTRACT statement.
CONTROL ON REMOTE SERVICE BINDING::<name>
VIEW DEFINITION ON REMOTE SERVICE BINDING::<name>
TAKE OWNERSHIP ON REMOTE SERVICE BINDING::<name>
ALTER ON REMOTE SERVICE BINDING::<name>
STATEMENTS:
ALTER REMOTE SERVICE BINDING
DROP REMOTE SERVICE BINDING
CREATE REMOTE SERVICE BINDING
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY DATABASE
CONTROL ON DATABASE::<name>
VIEW DEFINITION ON DATABASE::<name>
ALTER ON DATABASE::<name>
ALTER ANY REMOTE SERVICE BINDING
CREATE REMOTE SERVICE BINDING
CONTROL ON CONTRACT::<name>
VIEW DEFINITION ON CONTRACT::<name>
REFERENCES ON CONTRACT::<name>
TAKE OWNERSHIP ON CONTRACT::<name>
ALTER ON CONTRACT::<name>
STATEMENTS:
DROP CONTRACT
CREATE CONTRACT
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY DATABASE
CONTROL ON DATABASE::<name>
VIEW DEFINITION ON DATABASE::<name>
REFERENCES ON DATABASE::<name>
ALTER ON DATABASE::<name>
ALTER ANY CONTRACT
CREATE CONTRACT
CONTROL ON SERVICE::<name>
VIEW DEFINITION ON SERVICE::<name>
SEND ON SERVICE::<name>
TAKE OWNERSHIP ON SERVICE::<name>
ALTER ON SERVICE::<name>
STATEMENTS:
ALTER SERVICE
DROP SERVICE
CREATE SERVICE
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY DATABASE
CONTROL ON DATABASE::<name>
VIEW DEFINITION ON DATABASE::<name>
ALTER ON DATABASE::<name>
ALTER ANY SERVICE
CREATE SERVICE
STATEMENTS:
ALTER ROUTE
DROP ROUTE
CREATE ROUTE
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY DATABASE
CONTROL ON DATABASE::<name>
VIEW DEFINITION ON DATABASE::<name>
ALTER ON DATABASE::<name>
ALTER ANY ROUTE
CREATE ROUTE
CONTROL ON ROUTE::<name>
VIEW DEFINITION ON ROUTE::<name>
TAKE OWNERSHIP ON ROUTE::<name>
ALTER ON ROUTE::<name>
STATEMENTS:
ALTER MESSAGE TYPE
DROP MESSAGE TYPE
CREATE MESSAGE TYPE
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY DATABASE
CONTROL ON DATABASE::<name>
VIEW DEFINITION ON DATABASE::<name>
REFERENCES ON DATABASE::<name>
ALTER ON DATABASE::<name>
ALTER ANY MESSAGE TYPE
CREATE MESSAGE TYPE
CREATE QUEUE
CONTROL ON MESSAGE TYPE::<name>
VIEW DEFINITION ON MESSAGE TYPE::<name>
REFERENCES ON MESSAGE TYPE::<name>
TAKE OWNERSHIP ON MESSAGE TYPE::<name>
ALTER ON MESSAGE TYPE::<name>
Permission Syntax
CREATE DATABASE **
ALTER ON DATABASE::<name>
STATEMENTS: CREATE DATABASE, RESTORE DATABASE
** NOTE: CREATE DATABASE is a database level permission that can only be granted in the master database. For SQL Database use the dbmanager role.
STATEMENTS:
EXECUTE AS
STATEMENTS:
EXECUTE AS
STATEMENTS:
ALTER AUTHORIZATION
Notes:
• ALTER AUTHORIZATION for any object might also require IMPERSONATE or membership in a role or ALTER permission on a role.
• ALTER AUTHORIZATION exists at many levels in the permission model but is never inherited from ALTER AUTHORIZATION at a higher level.
Database Role Permissions
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY DATABASE
VIEW DEFINITION ON DATABASE::<name>
ALTER ON DATABASE::<name>
ALTER ANY ROLE
CREATE ROLE
CONTROL ON DATABASE::<name>
VIEW DEFINITION ON ROLE::<name>
TAKE OWNERSHIP ON ROLE::<name>
ALTER ON ROLE::<name>
CONTROL ON ROLE::<name>
STATEMENTS:
ALTER ROLE <name> ADD MEMBER
DROP ROLE
CREATE ROLE
NOTES: Only members of the db_owner fixed database role can add or remove members from fixed database roles.
NOTES: To add a member to a fixed server role, you must be a member of that fixed server role, or be a member of the sysadmin fixed server role.
Database Engine Permissions: Microsoft SQL Server 2017 and Azure SQL Database
STATEMENTS:
CREATE LOGIN
ALTER LOGIN
DROP LOGIN
STATEMENTS:
CREATE DATABASE
ALTER DATABASE
DROP DATABASE
If you create a database
loginmanager role
USER DATABASE
CONTROL ON DATABASE::<name>
Azure SQL Database Permissions Outside the Database
STATEMENTS:
ALTER DATABASE SCOPED CONFIGURATION
Combined with TRUSTWORTHY allows delegation of authentication
BACKUP DATABASE
BACKUP LOG
CHECKPOINT
Top Level Server Permissions
Notes:
• Server-Level Principal Logins are the Server admin and Azure Active Directory Admin accounts.
• Server-level permissions cannot be granted on SQL Database. Use the loginmanager and dbmanager roles in the master database instead.
Application Role Permissions
CONTROL SERVER
VIEW ANY DEFINITION
ALTER ANY DATABASE
CONTROL ON DATABASE::<name>
VIEW DEFINITION ON DATABASE::<name>
ALTER ON DATABASE::<name>
ALTER ANY APPLICATION ROLE
CONTROL ON APPLICATION ROLE::<name>
VIEW DEFINITION ON APPLICATION ROLE::<name>
ALTER ON APPLICATION ROLE::<name>
STATEMENTS:
ALTER APPLICATION ROLE
DROP APPLICATION ROLE
CREATE APPLICATION ROLE
• SQL Database can be a push replication subscriber which
requires no special permissions.
processadmin role
bulkadmin role
db_owner role
db_ddladmin role
dbmanager role
Server-Level Principal Logins
loginmanager role
sysadmin role
dbcreator role
db_owner role
db_accessadmin role
diskadmin role
setupadmin role
securityadmin role
serveradmin role
public role
db_backupoperator role
db_datareader role
db_denydatareader role
db_datawriter role
db_denydatawriter role
db_securityadmin role
public role
securityadmin role
db_ddladmin role
db_owner has all permissions in the database.
Notes:
• In both SQL Server and SQL Database the public database role does not initially have access to any user objects. The public database role has many grants to system objects, which is necessary to manage internal actions.
• In SQL Server 2016, the public database role has the VIEW ANY COLUMN MASTER KEY DEFINITION and VIEW ANY COLUMN ENCRYPTION KEY DEFINITION permissions by default. They can be revoked.
Questions and comments to https://aka.ms/sql-permissions
February 28, 2018
© 2018 Microsoft Corporation. All rights reserved.
NOTES:
Database Scoped Credential Permissions ǂ
CONTROL SERVER
VIEW ANY DEFINITION
VIEW DEFINITION ON DATABASE::<name>
REFERENCES ON DATABASE::<name>
CONTROL ON DATABASE::<name>
VIEW DEFINITION ON DATABASE SCOPED CREDENTIAL ::<name> ǂ
REFERENCES ON DATABASE SCOPED CREDENTIAL ::<name> ǂ
TAKE OWNERSHIP ON DATABASE SCOPED CREDENTIAL ::<name> ǂ
ALTER ON DATABASE SCOPED CREDENTIAL ::<name> ǂ
CONTROL ON DATABASE SCOPED CREDENTIAL::<name> ǂ
STATEMENTS:
ALTER DATABASE SCOPED CREDENTIAL ǂ
DROP DATABASE SCOPED CREDENTIAL ǂ
CREATE DATABASE SCOPED CREDENTIAL ǂ
ALTER ON DATABASE::<name>
ALTER ANY EVENT NOTIFICATION
ALTER ANY DATABASE EVENT NOTIFICATION
Database scoped event notifications
CREATE DDL EVENT NOTIFICATION
CREATE TRACE EVENT NOTIFICATION
CREATE DATABASE DDL EVENT NOTIFICATION
Database scoped DDL event notifications
Event notifications on trace events
Note: EVENT NOTIFICATION permissions also affect Service Broker. See the Service Broker chart for more info.
Event Notification Permissions (SQL Server only)
CONTROL SERVER
CONTROL ON DATABASE::<name>
Assembly Permissions
VIEW ANY DEFINITION
ALTER ANY DATABASE
ALTER ON DATABASE::<name>
TAKE OWNERSHIP ON ASSEMBLY::<name>
ALTER ANY ASSEMBLY
ALTER ON ASSEMBLY::<name>
VIEW DEFINITION ON DATABASE::<name>
VIEW DEFINITION ON ASSEMBLY::<name>
CONTROL SERVER
CONTROL ON DATABASE::<name>
CONTROL ON ASSEMBLY::<name>
REFERENCES ON DATABASE::<name>
REFERENCES ON ASSEMBLY::<name>
CREATE ASSEMBLY
STATEMENTS:
ALTER ASSEMBLY
DROP ASSEMBLY
CREATE ASSEMBLY
Note: CREATE and ALTER ASSEMBLY statements sometimes require the server level EXTERNAL ACCESS ASSEMBLY and UNSAFE ASSEMBLY permissions, and can require membership in the sysadmin fixed server role.
External Library Permissions
VIEW ANY DEFINITION
ALTER ANY DATABASE
ALTER ON DATABASE::<name>
TAKE OWNERSHIP ON EXTERNAL LIBRARY::<name>
ALTER ANY EXTERNAL LIBRARY
ALTER ON EXTERNAL LIBRARY::<name>
VIEW DEFINITION ON DATABASE::<name>
VIEW DEFINITION ON EXTERNAL LIBRARY::<name>
CONTROL SERVER
CONTROL ON DATABASE::<name>
CONTROL ON EXTERNAL LIBRARY::<name>
CREATE EXTERNAL LIBRARY
STATEMENTS:
ALTER EXTERNAL LIBRARY
DROP EXTERNAL LIBRARY
CREATE EXTERNAL LIBRARY